Internet attacks are slowing but gaining sophistication

Overall attack activity on the Internet decreased during the last six months of 2002, according to a semiannual cyberthreat report from Symantec Corp.

But the possibility of war with Iraq could reverse that trend, said Brian J. Finn, director of strategic programs and homeland security for the Cupertino, Calif., company.

'Any time the United States has been involved in a military action, we see an increase in foreign activity,' he said. 'So we need to be even more vigilant as we approach the possibility of hostilities.'

The bulk of the attacks reported by Symantec were the result of what are called blended-threat worms, which try to exploit multiple vulnerabilities. A worm with a high-impact payload continues to be the greatest risk to the Internet, the report released today said.

The rapid spread earlier this month of the SQL Slammer worm, which exploited only one vulnerability and had no payload, 'should be a warning call to us,' Finn said.

The February edition of the Internet Security Threat Report is the third released by Symantec. The first two were produced by Riptech Inc., which Symantec has acquired. The 57-page report charts trends culled from 30t of data collected from millions of intrusion detection and antivirus installations. The full report is available at www.symantec.com.

Although reported attack activity was down, the number of vulnerabilities being reported in software continues to grow, increasing by more than 81 percent in 2002. The large majority of the vulnerabilities are not considered particularly dangerous, but the percentage of those ranked at least moderately severe is beginning to grow, the report noted.

'The severe ones grew at a startlingly higher rate than the others,' said Tony Vincent, principal systems engineer. Vulnerabilities rated moderately to highly severe grew by nearly 85 percent last year, while those rated at a low-severity level grew by 24 percent.

The sheer number of weaknesses appears to be growing faster than hackers can write malicious code to exploit them. In 2001, attack code was available for nearly 30 percent of vulnerabilities. That figure dropped to about 24 percent last year.

'This trend may indicate that sophisticated writers of exploit code are not keeping up with the sheer volume of vulnerabilities, or that they are intentionally hiding exploit code from the public,' the report concluded.

But there still appears to be plenty of malicious code being used to take advantage of known vulnerabilities. More than three-quarters of the attacks detected by Symantec resulted from old blended threats, such as SQL Spida and Code Red, the report said.